More than 140 international airlines could have suffered a major cyber security and data breach thanks to a vulnerability in the Amadeus reservation system. It could affect tens of millions of travelers.
More than 140 international airlines could have suffered a major security breach. Thanks to a flaw in the Amadeus online reservation system, malicious hackers could have accessed the private flight-booking information of millions of customers. The issue was discovered by the cyber security expert and hacktivist Noam Roten, who works at Safety Detective's research labs. The system handles over 44% of the international carrier market, and the vulnerability potentially affects tens of millions of travelers. As described, the security bug was found while booking a flight on EL AL, Israel's national carrier, which sent the researchers a link to check the PNR: "https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE". From there it was only a matter of changing the RULE_SOURCE_1_ID parameter, which allowed them to view any Passenger Name Record (PNR), giving them access to the passengers' names as well as all associated flight details. In other words, this is a textbook insecure direct object reference (IDOR): the record identifier in the URL is the only thing gating access, and the server never checks that the requester is actually entitled to that record.
How the flaw works and what it makes possible
That was not all. Using the customer name and the PNR code, the researchers were then able to log into the airline's customer portal. According to Safety Detective's research labs, this allowed them to "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer's email and phone number, which could then be used to cancel/change flight reservation via customer service." After running a small and non-threatening script to check for any brute-force protections, none of which were found, "we were able to find PNRs of random customers, which included all of their personal information," the company's blog continues. "We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions." The missing rate limiting matters as much as the predictable identifier: a guessable ID that can be requested without limit is, in practice, an enumerable one.
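To make the two weaknesses concrete, the following is an added example written for this article, not code from Safety Detective, EL AL or Amadeus, and it knows nothing about how the real system is built. It uses a constructed, in-memory reservation store with made-up names, flights and locators. The vulnerable lookup reproduces the pattern described above (a sequential record id in the link is the only access control, and nothing stops a caller from walking neighbouring ids); the hardened lookup shows the three fixes a practitioner would expect: an unguessable capability token in the link instead of a sequential id, a second factor the link alone does not carry (the passenger's last name, as many airline portals require), and a per-client failure counter so that guessing is bounded. The `MAX_FAILURES` value and the lockout policy are illustrative assumptions.

```python
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed sample data standing in for a booking back end.
@dataclass
class Pnr:
    record_id: int    # sequential database id (what the vulnerable link exposes)
    locator: str      # 6-character PNR code printed on the itinerary
    last_name: str
    flight: str
    email: str
    # Unguessable per-record token, generated at booking time (hardened path only).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


STORE: Dict[int, Pnr] = {
    1001: Pnr(1001, "AB12CD", "SMITH", "LY001 TLV-JFK", "smith@example.com"),
    1002: Pnr(1002, "EF34GH", "COHEN", "LY315 TLV-LHR", "cohen@example.com"),
    1003: Pnr(1003, "IJ56KL", "LEVI", "LY008 JFK-TLV", "levi@example.com"),
}
BY_TOKEN: Dict[str, Pnr] = {p.token: p for p in STORE.values()}


def vulnerable_lookup(record_id: int) -> Optional[dict]:
    """Insecure direct object reference: the only 'secret' is a sequential
    id carried in the URL, and nothing ties the caller to the record."""
    p = STORE.get(record_id)
    if p is None:
        return None
    return {"locator": p.locator, "last_name": p.last_name,
            "flight": p.flight, "email": p.email}


def enumerate_vulnerable(start: int, count: int) -> List[str]:
    """What the flaw allows: walk neighbouring ids and collect other
    people's records. Returns the locators found, in id order."""
    found = []
    for rid in range(start, start + count):
        rec = vulnerable_lookup(rid)
        if rec:
            found.append(rec["locator"])
    return found


MAX_FAILURES = 5                                  # assumed lockout threshold
_failures: Dict[str, int] = defaultdict(int)      # failed attempts per client


def hardened_lookup(token: str, last_name: str, client: str) -> Optional[dict]:
    """Fixes: (1) the link carries a random capability token, not a
    sequential id; (2) the caller must also present the passenger's last
    name, so the link alone is not enough; (3) failures per client are
    counted and the client is refused once MAX_FAILURES is reached."""
    if _failures[client] >= MAX_FAILURES:
        return None  # locked out; a real service would also log and alert here
    p = BY_TOKEN.get(token)
    # Constant-time compare of the second factor; an unknown token counts as
    # a failure too, so probing for valid tokens is also rate-limited.
    ok = p is not None and hmac.compare_digest(
        p.last_name.encode(), last_name.strip().upper().encode())
    if not ok:
        _failures[client] += 1
        return None
    _failures.pop(client, None)  # reset the counter on success
    return {"locator": p.locator, "flight": p.flight}


if __name__ == "__main__":
    print("enumerated via sequential ids:", enumerate_vulnerable(1000, 5))
    tok = STORE[1001].token
    print("hardened, right name:", hardened_lookup(tok, "smith", "10.0.0.1"))
    print("hardened, wrong name:", hardened_lookup(tok, "jones", "10.0.0.1"))
```

Note that the hardened path deliberately does not reveal which of the two factors was wrong, and that a token-only design would still be enumerable if the tokens were short or derived from predictable data; the token must come from a CSPRNG and be long enough that brute force is infeasible even without the lockout.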